[Dovecot] Help needed: Index filesystem permissions problem after switch to V1.2 and back to V1.1
After V1.2 had been up for a while, I started seeing tons of syslog error messages like this:
Nov 5 09:11:52 mercury mail:err|error dovecot: IMAP(sdean): stat(/var/dcindx/sdean/.imap/DadEstate) failed: Permission denied (euid=202(sdean) egid=200(hcrc) missing +x perm: /var/dcindx)
Ownership and Permissions are:
The index filesystem
2726 root@mercury:/var/dcindx ## ls -ald
drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ./
A user's directory is:
2729 root@mercury:/var/dcindx ## ls -al sdean
total 400
drwx--S--- 7 sdean sys 256 Sep 29 04:43 ./
drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ../
drwx--S--- 139 sdean sys 8192 Sep 29 04:43 .imap/
and for the directory with the problem:
2731 root@mercury:/var/dcindx ## ls -al sdean/.imap/DadEstate
total 48
drwx--S--- 2 sdean sys 256 Sep 29 04:43 ./
drwx--S--- 139 sdean sys 8192 Sep 29 04:43 ../
-rw------- 1 sdean sys 408 Jan 14 2009 dovecot.index
-rw------- 1 sdean sys 18432 May 05 2009 dovecot.index.cache
-rw------- 1 sdean sys 828 Jan 14 2009 dovecot.index.log
I switched back to V1.1, but the situation persists
dovecot -n:
# 1.1.15: /usr/local/etc/dovecot.conf
# OS: AIX 3 0001378F4C00
listen: *:143
ssl_listen: *:993
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_processes_count: 12
login_max_processes_count: 774
max_mail_processes: 1024
verbose_proctitle: yes
first_valid_uid: 200
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=/var/dcindx/%u
mbox_write_locks: fcntl
mbox_dirty_syncs: no
auth default:
passdb:
driver: pam
userdb:
driver: passwd
-- ==== Once upon a time, the Internet was a friendly, neighbors-helping-neighbors small town, and no one locked their doors. Now it's like an apartment in Bed-Stuy: you need three heavy duty pick-proof locks, one of those braces that goes from the lock to the floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin, Bard College, New York 12504 sdean@bard.edu voice: 845-758-7475, fax: 845-758-7035
In desperation I changed the permissions on /var/dcindx with a chmod o+x so that it is now: drwx--S--x which quieted that avalanche of error messages. Still, what *should* the permissions and ownership be?
I'm also seeing these messages, which I've discovered were happening before I did the migration:
Nov 5 09:36:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Apple Mail To Do) failed: Permission denied
Nov 5 09:37:06 mercury mail:err|error dovecot: IMAP(ahinds): mkdir(/var/dcindx/ahinds/.imap/Drafts) failed: Permission denied
ahinds is a valid user. There is no ahinds directory (as there should be) under /var/dcindx
On Thu, 5 Nov 2009, Stewart Dean wrote:
Hello,
In desperation I changed the permissions on /var/dcindx with a chmod o+x so that it is now: drwx--S--x which quieted that avalanche of error messages. Still, what *should* the permissions and ownership be?
There is no default answer for this question, except: so that all uids used are able to create directories under /var/dcindex.
E.g. if all your users are mapped to one uid, you may use this uid.
If you use system users, who are all members of one group, have "g+xw" and chgrp /var/dcindex to this group as well.
Your error messages seem to indicate that you should use:
1777
as for /tmp, because you have a range of uids and gids.
Regards,
Steffen Kaiser
Steffen's answer was good. Also:
On Thu, 2009-11-05 at 09:24 -0500, Stewart Dean wrote:
2726 root@mercury:/var/dcindx ## ls -ald
drwx--S--- 3946 dovecot system 192512 Nov 05 08:59 ./
Don't use "dovecot" user for ANYTHING. It's used internally by login processes. There should be no files in filesystem owned by dovecot user.
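Added example, not part of the thread and not Dovecot code: a Python check that reproduces the "missing +x perm" diagnosis for a given uid/gid and audits an index root against the two points raised in the replies (1777-style permissions, and no ownership by the internal login user). The function names and the `login_uid` parameter are assumptions; only classic mode bits are evaluated, not ACLs.

```python
import os
import stat

def first_unsearchable(path, uid, gids, start="/"):
    """Return the first directory between `start` and the parent of `path`
    that uid/gids cannot traverse (missing +x), or None if all are searchable."""
    start = os.path.abspath(start)
    chain, cur = [], os.path.dirname(os.path.abspath(path))
    while True:
        chain.append(cur)
        if cur == start or cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)
    for d in reversed(chain):                 # check top-down, like a path walk
        st = os.stat(d)
        if st.st_uid == uid:                  # exactly one permission class applies
            need = stat.S_IXUSR
        elif st.st_gid in gids:
            need = stat.S_IXGRP
        else:
            need = stat.S_IXOTH
        if uid != 0 and not st.st_mode & need:
            return d
    return None

def audit_index_root(root, login_uid):
    """Findings for an index root shared by many uids/gids (the 1777 layout).
    login_uid: uid of the internal login user (assumption: caller looks it up)."""
    st = os.stat(root)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid == login_uid:
        findings.append("owned by the internal login user")
    if not mode & stat.S_IXOTH:
        findings.append("others lack +x (search)")
    if not mode & stat.S_IWOTH:
        findings.append("others lack +w (cannot create their index directory)")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit")
    return findings
```

For the case in the thread, `first_unsearchable("/var/dcindx/sdean/.imap/DadEstate", 202, {200}, start="/var/dcindx")` would be run as root, since the caller must itself be able to stat each directory.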
participants (3)
- Steffen Kaiser
- Stewart Dean
- Timo Sirainen